RE: Contributing a mailet
Validating IP against the domain was one of many tests I was planning to do. It will probably block a few legal mail servers, but that should provide an incentive to add those servers/domains to DNS and be better net-citizens.

The TMDA whitelist-centric strategy looks similar to what I was thinking of. But I find the email-based challenge/response might not be too difficult for spammers to circumvent. In any case they seem to have looked at many of the issues and it is a great cross-check to ensure I did not miss something important. Thanks for the link!!!

Bruno

-----Original Message-----
From: ext Noel J. Bergman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 03, 2004 4:50 PM
To: James Developers List
Subject: RE: Contributing a mailet

> spammers are getting very smart about bypassing normal anti-spam tools.

They have gone from being annoying, with dubious legal status for UCE, to being outright criminals. Spammers are behind the new worms that turn consumer systems into mail daemons. They can bypass whitelists by using the address books of the systems they have infected, and distributing the information so that databases of e-mail associations can be constructed.

> I feel that no other solution other than pure whitelisting will work in the long run.

What alternative would you propose to whitelist-only email? Are you familiar with www.tmda.net?

There is a proposal where an MTA would validate that the IP address attaching to it is a valid server for the MAIL FROM domain. There are proposals to have servers sign messages to verify that the message did, indeed, originate from them.

--- Noel

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: Why fighting spam with whitelists doesn't work [was Re: Contributing a mailet]
Stefano,

Thanks, you make a great point against reject emails. It was not my intent to create a new reject email but rather to reject it at the incoming SMTP message level. But, as Serge mentions, I might not be able to include the URL to apply for whitelist at the SMTP reject level, and anyway the mailet API does not support such functionality. I was counting on such capabilities to do rejects without the annoying side effects you mentioned. I obviously need to do more research into how to properly reject without causing extra emails.

As to a whitelisted sender being infected by a worm and sending spam, I do not see that as a big flaw, especially if you already have an anti-virus filter on your inbound mail filter chain (a normal precaution). I can't imagine a huge number of spams coming that way, and it would be easy to contact the sender and warn him of his infection. Impersonating someone in my whitelist would probably be an issue, but should be manageable if combined with additional inbound checks like validating IP against DNS.

-----Original Message-----
From: ext Stefano Mazzocchi [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 03, 2004 10:23 PM
To: James Developers List
Subject: Why fighting spam with whitelists doesn't work [was Re: Contributing a mailet]

On 3 Feb 2004, at 17:16, [EMAIL PROTECTED] wrote:

> Stefano, I found your questions quite thought-provoking.

Good.

> Would you mind answering a couple of questions?

of course not.

> 1) I feel that no other solution other than pure whitelisting will work in the long run.

A whitelist approach estimates that the sender is a human being (so that is able to judge and take an action) and that the from: address was not forged. Both are pathetically wrong assumptions these days, especially after SoBig and MyDoom worm outbreaks.

> I have had my personal email address for many years and there are days when I receive over 1000 spams per day.

Join the club.

> I am currently using several public blacklists and SpamAssassin set at its most aggressive setting, which worked for years until a few months ago, but now spammers are getting very smart about bypassing normal anti-spam tools.

I use bayesian filtering (bogofilter because it's very fast). It's good enough for almost all sorts of spam, but the random dictionary + image type. But that's easily modelled with a rule engine (but I receive so few of them lately that it's not even worth bothering writing one).

Over the last two weeks, I had 4800 spam messages and only 50 false negatives (99% correctness) and no false positive so far (even if it's admittedly hard to tell, my filter is better than I am in rating spam, that's for sure).

My bogofilter database contains something like 3 ham messages and 1 spam messages from my own inbox and it's 35Mb big. The database is retrained differentially every 5 minutes so that it adapts to messages I move from my inbox to the spam folder or the various ham folders [i use my 'outbox' as ham folder as well, since I'm likely to like email that looks like the one I send out].

> What alternative would you propose to whitelist-only email?

a computational based approach for senders [see http://research.microsoft.com/research/sv/PennyBlack/] plus digital signatures for receivers (so that you can check that the from address was forged or not) [see the one attached to this message].

You will still need some sort of statistical analysis to remove that email that manages to come thru, but the volume would be dramatically reduced if they find a proper algorithm for the computation-based approach [which is a very interesting problem from a research perspective].

> 2) I know that creating a new reply email directed to the from or reply-to address can be abused for relaying.

no, that's not my concern.

My concern is: if I'm *NOT* the one who sent that email, I don't want your stinking "are you really you" whitelist message because that's unsolicited email and that's exactly what we are trying to avoid in the first place!

> But wouldn't a reject of the incoming SMTP transaction itself (with an appropriate error message) go back ONLY to the real sender?

what real sender? you have no way to tell if the from: address is really the guy who sent the email without some sort of trust facility... and trust is not something that you can take for granted or write an algorithm in a piece of software for.

> The point is that if somebody isn't willing to go through some necessary hassle the first (and only the first) time he sends email to me, then that person is not someone I want to hear from - EVER. I am assuming that the mailet API is called --before-- the transaction is complete. And of course, there are situations, like when joining a mailing list, where whitelisting would have to be done in advance by the recipient. But please correct me if I am wrong.

It's not about being right or wrong, it's about assumptions. You
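As an added illustration (not code from the thread, from James or from any mailet), the decision logic the two messages above circle around: Noel's MTA-side check that the connecting IP is a listed mail host for the MAIL FROM domain, combined with Bruno's whitelist, and answered with a 5xx reply inside the SMTP transaction so that the receiving MTA never generates a challenge or bounce. The DNS zone, the whitelist entries and the request-URL text are constructed, and allowing whole domains in the whitelist is my assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Set

# Constructed DNS data standing in for real lookups so the example runs offline.
CONSTRUCTED_MX = {"example.org": ["mx1.example.org", "mx2.example.org"]}
CONSTRUCTED_A = {
    "mx1.example.org": ["192.0.2.10"],
    "mx2.example.org": ["192.0.2.11"],
    "example.org": ["192.0.2.1"],      # web host, not a mail host
    "nomx.example": ["192.0.2.50"],    # no MX record: implicit MX falls back to A
}

def lookup_mail_hosts(domain: str) -> Set[str]:
    """IPs from which mail for `domain` may legitimately originate:
    A records of its MX targets, or its own A record when it has no MX."""
    hosts = CONSTRUCTED_MX.get(domain) or [domain]
    return {ip for host in hosts for ip in CONSTRUCTED_A.get(host, [])}

@dataclass(frozen=True)
class Decision:
    accept: bool
    smtp_reply: str  # sent to the connecting client in reply to MAIL FROM

def evaluate_mail_from(sender: str, client_ip: str, whitelist: Set[str],
                       resolve: Callable[[str], Set[str]] = lookup_mail_hosts) -> Decision:
    """Whitelist-first policy: unknown senders are refused, and whitelisted
    senders are accepted only when the connecting IP is one of their domain's
    mail hosts. Refusals are 5xx replies inside the transaction: the message
    is never accepted, so this MTA sends no challenge mail and no bounce."""
    sender = sender.lower()
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if not domain:
        # Null reverse path (<>) or malformed address: nothing to look up.
        # Caveat: refusing <> also refuses bounces for mail this site sent.
        return Decision(False, "550 5.1.7 Sender address required by recipient policy")
    # Assumption: the whitelist may hold full addresses or whole domains
    # (e.g. a mailing list pre-approved by the recipient).
    if sender not in whitelist and domain not in whitelist:
        return Decision(False, "550 5.7.1 Sender not pre-approved by recipient; "
                               "see <whitelist request URL placeholder>")
    if client_ip not in resolve(domain):
        # Either impersonation of a whitelisted sender, or a domain with no
        # mail hosts in DNS, which this policy knowingly blocks.
        return Decision(False, f"550 5.7.1 {client_ip} is not a mail host for {domain}")
    return Decision(True, "250 2.1.0 Sender OK")
```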
RE: Contributing a mailet
Angus,

I apologize if I offended you in any way. I did read your reply, as well as every bit of information I could find on the Apache site in regard to this topic. I understand that by granting all intellectual rights to the ASF there is not much reason to sue the individual, and that the ASF is able to defend itself. But I live in the US and here there are very few laws that protect the individual from corporate abuse (although some states are better at it... unfortunately I literally live in the wild west), and frivolous lawsuits against the author are considered a normal negotiating tactic. This puts us authors at risk regardless of wrongdoing. But thanks anyway for the clarification.

-----Original Message-----
From: ext Danny Angus [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 02, 2004 4:51 PM
To: James Developers List
Subject: RE: Contributing a mailet

> But since I will not be protected from them, I don't think I can risk contributing it.

I didn't say that, what I said, if you had given me the courtesy to read the reply I had the courtesy to send you, was

> the ASF protects individuals against action being taken personally against them by itself being the owner, and licensor of the software. It is therefore a duty of all committers to ensure that nothing is

If you contributed your mailet, and *if* we chose to accept it, there would be nothing anyone could gain by suing *you*. You would have granted a perpetual and irrevocable licence to the ASF to distribute your contribution under the terms of the ASFL, and therefore they would have to sue the ASF. We would be unlikely to accept a contribution that was likely to result in legal action, but we're certainly not going to reject a contribution which is entirely legitimate, no matter what commercial interests it might annoy. Consider how much httpd annoys Microsoft, should the ASF be nice and stop distributing that?.. hell no!

d.
RE: Contributing a mailet
Noel,

Could you please tell me whether you are replying as a representative of the James project, or as a fellow contributor that knows the answers?

Also, I did not see anywhere in the James site a list of contributed mailets... kind of strange considering that mailets are supposed to be the main purpose of James. I probably missed it. Can you point me to the right URL?

In reply to your questions:

a) I'll preface that the mailet I am implementing is not for everyone. I expect that 10% of administrators will find it too restrictive, while the rest will probably find it ideal. The mailet will reject all email from sources that were not preapproved in a whitelist. Associated tools will handle managing of the list and allow new HUMAN senders to request addition to the list in a manner that is not annoying to the receiving user.

c) I have read the ASF license and related info (or as much as I could understand), and it seems acceptable since my primary goal is to end spam once and for all, but I'd like you to clarify a couple of points:

1. Will I be able to keep credit as the author of the mailet? If so, how?

2. If this anti-spam measure is as successful as I expect it to be, I fear that the spammers of the world will try anything to kill it and the Microsofts of the world will try to steal it. Because of it I have been sitting on this design for 3 years. Is it true that the Apache Software Foundation provides free legal defense for its contributors if they are sued as a consequence of a contribution? If it is not, I will not be able to contribute it and will have to go make it commercial just to make enough money to defend myself.

Bruno

-----Original Message-----
From: ext Noel J. Bergman [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 30, 2004 2:17 PM
To: James Developers List
Subject: RE: Contributing a mailet

Bruno,

> I want to make sure that (a) It will be accepted as a contribution

Can you provide more details on what kind of anti-spam mailet?

> (b) It is fully compliant with the standards

Follow the sample mailets in the source distribution, keep the code clean and documented.

> (c) It is absolutely 100% public domain and cannot be subverted and used for commercial products or its design principles stolen and placed in somebody else's patent (so it will probably need to be GPL or something even stronger).

This will not be acceptable, and will require us to reject your code. Please see http://www.apache.org/licenses/. ASF software projects must be licensed using the Apache Software License, and can be used for any purpose, including commercial. Furthermore, public domain and GPL are not compatible.

--- Noel
RE: Contributing a mailet
My concern is simple. I do not believe there is anything in the design that would make it possible to successfully sue me. But it is a standard business practice among the less ethical corporations to sue frivolously to bankrupt their opponents and force them to either abandon or sell out a product. Because of it, if I am successful at stopping spam I am fairly certain that there will be many a frivolous lawsuit for that purpose.

And as you state, the idea is so old that its origins are lost and therefore fully in the public domain, even though nobody has bothered to implement it in a viable way. My plan is to do so, in a way that is convenient to both recipients and desirable senders. And if enough people use it, a multi-billion dollar industry will feel it and the groundless lawsuits will start. But since I will not be protected from them, I don't think I can risk contributing it.

I will probably still use James, but rather put it inside my application instead of having my application be part of James. If I understand the ASF license, it permits me to include James in my product, without any license fees. Is that correct?

Bruno

-----Original Message-----
From: ext Danny Angus [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 02, 2004 11:04 AM
To: James Developers List
Subject: RE: Contributing a mailet

> 2. If this anti-spam measure is as successful as I expect it to be, I fear that the spammers of the world will try anything to kill it and the Microsofts of the world will try to steal it. Because of it I have been sitting on this design for 3 years. Is it true that the Apache Software Foundation provides free legal defense for its contributors if they are sued as a consequence of a contribution? If it is not, I will not be able to contribute it and will have to go make it commercial just to make enough money to defend myself.

Erm well not quite, the ASF protects individuals against action being taken personally against them by itself being the owner, and licensor of the software. It is therefore a duty of all committers to ensure that nothing is knowingly admitted which would make us vulnerable to legal action. In practice this is about IP.

By legitimately donating the code to the ASF you are no longer the person your imagined enemies would want to sue to stop the software from being distributed! However if your contribution doesn't violate any IP ownership or Patents then I fail to see how any *reasonable* piece of software could result in you being pursued.

What exactly is there about your proposal, which in itself doesn't sound very novel, that makes you think anyone would sue you?

d.